SCADA security issues are no longer theoretical. At the SCADA Security Summit last week, asset owners spoke publicly (for the first time) about actual security breaches in water treatment plants and power distribution systems. It is time for NERC and FERC to refocus their rules to fix the actual problems or admit they cannot, and get out of the way. The one piece of good news comes from the US Department of Homeland Security. DHS has helped the Multi-State ISAC, led by New York's Will Pelgrin, and the Idaho National Laboratory develop common procurement specifications so SCADA and PCS buyers can buy safer systems, and vendors know what is needed. Other nations at the Summit committed to helping expand and improve the procurement language and make sure it is widely adopted. The draft procurement specification document is available at: http://www.msisac.org/scada/
Added bonus: On Sunday, SANS announced the Top Ten developments in cyber security for the coming year. It is at the end of this issue.
************************************************************************* SANS NewsBites October 03, 2006 Volume: VIII, Issue: 78 *************************************************************************
Power Companies and Pipelines Vulnerable to Cyber Attacks; Government/NERC Rules Ineffective
The Atlanta Journal-Constitution highlighted major vulnerabilities in the critical infrastructure. It recounted multiple successful attacks against control systems and emphasized that many organizations that run such systems are unaware of the vulnerabilities, describing them as "out of sight, out of mind." It described the new cyber security rules developed by the North American Electric Reliability Council (NERC) as "so vague and open to interpretation that they'll be ineffective."
-http://www.statesman.com/news/content/news/stories/nation/10/02/2scada.html
[Editor's Note (Paller): Utilities are already facing a first wave of extortion attacks as hackers use SCADA vulnerabilities to get in and then demand money to avoid doing damage and exposing the vulnerabilities. Those attacks will expand rapidly over the next year. Every technically competent SCADA security professional I have asked has strongly affirmed that NERC compliance does not correspond with effective security against hacker attacks. These NERC rules are a glaring example of competent security professionals being hamstrung by bureaucrats and lobbyists, so that they ended up forcing utilities and SCADA vendors to solve the wrong problems. The public deserves better leadership than that. ]
Dept. of Energy IG Says Federal Energy Regulatory Commission Still Faces Security Issues (29 September 2006)
A recent report from the US Energy Department's (DOE) inspector general (IG) found that while the Federal Energy Regulatory Commission (FERC) has made some progress in improving its cyber security, some problems identified in earlier audits remain unremedied. According to the report, FERC has "improved configuration management procedures to ensure that only current software versions are used and that user access privileges are restricted to the least level required." However, the report also found "that the agency failed to properly execute or adequately document security assessments and annual security reviews on four systems." The IG disagrees with FERC executive director Thomas Herlihy's response to the report that the problem involving blank, default and easy-to-guess passwords is insignificant; even a small number of accounts with weak password protection could expose the agency's computer systems to malware.
-http://www.govexec.com/story_page.cfm?articleid=35155&printerfriendlyVers=1&
-http://www.ig.energy.gov/documents/OAS-M-06-10.pdf
[Editor's Note (Honan): If FERC executive director Thomas Herlihy believes the problem involving blank, default and easy-to-guess passwords is insignificant, then FERC has a long road ahead in securing their environment.
(Schultz): Mr. Herlihy's response shows that the root cause of FERC's security problems is lack of senior management security awareness.
**Mr. Herlihy responds: The IG report did not find any material weaknesses in FERC's program, and evaluated the Commission's certification and accreditation program as "Excellent." In the scorecard for agencies, we were rated an "A". It was the Department of Energy that failed. That said, let me address the IG's report with a bit more specificity.
Of some 3,000 accounts, the IG audit found 12 passwords that were weak or easily guessed, 20 user accounts were not closed within the requisite 90 days, and we used an alternative but acceptable method of documenting our security assessment. My response to the IG was intended to put context into the IG report, which we believed lacked balance. We take computer security seriously and we agree that our systems can never be secure enough. We are working to eliminate all vulnerabilities. We value the IG's input, and will continue our efforts to improve this excellent program and bring our cyber security risks as close to zero as possible. ]
CO Judge Lambastes Voting Machine Certification Methods but Allows Their Use in Election (2 October & 27 September 2006)
Despite calling the state's methods for certifying electronic voting machines "abysmal," Denver District Judge Lawrence Manzanares stopped short of prohibiting their use in the November 7 general election. Judge Manzanares did, however, order that new certification processes be developed for use in future elections and that the machines be recertified following the next month's election. He also ordered the state to develop and implement new security procedures immediately. The new rules include video surveillance of the storage areas in which they are kept and background checks on people who transport the machines.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=266452&intsrc=news_ts_head
-http://origin.denverpost.com/news/ci_4407782
[Editor's Note (Schmidt): With all of the reports on e-voting pointing out vulnerabilities, testing flaws as well as publishing some easy, low cost mitigation processes it is amazing that we still continue to debate this. The report we did out of NYC Brennan center is available for anyone to use.
-http://www.brennancenter.org/programs/downloads/SecurityExecSum7-3.pdf]
Virus Infected Computers at Maryland DSS Could Delay Assistance (30 September 2006)
Computers at Maryland's Department of Social Services have been plagued by viruses, raising concerns that some clients could face delays in receiving assistance. Officials maintain the situation is under control, but representatives from non-profit organizations say they cannot be sure until the beginning of October, as many welfare recipients receive their checks at the beginning of the month.
-http://www.baltimoresun.com/news/local/bal-md.virus30sep30,0,2137404.story?coll=bal-local-headlines
[Editor's Note (Ullrich): "Viruses" are usually more visible than other forms of malware, in particular bots. While news articles are not always accurate in naming different malware classes, it is likely that only the tip of the iceberg is visible at this point. Expect information breaches and fraud to follow.
(Ranum): This has more implications than the obvious one. If machines are riddled with viruses, in today's malware environment, there's a decent chance they are also compromised with remote controlled trojans and other nasty things. Considering the agency in question, I'm extremely unsettled to hear that they have uncontrolled desktops that are out of control. ]
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Group Releases VML Flaw Fix for Unsupported Versions of Windows (30 September 2006)
An outside group has released a patch for the Windows VML flaw in older, unsupported versions of Windows. Microsoft released an out-of-cycle patch to address the flaw last week, but Microsoft no longer issues fixes for flaws in older versions, including Windows 98, Windows Millennium Edition and Windows 2000. The group provides the source code for the fixes they release and acknowledges it does not have resources equal to Microsoft's for creating and testing patches.
-http://news.com.com/2102-1002_3-6121559.html?tag=st.util.print
[Editor's Note (Pescatore): Old versions of Windows have way more security problems than just the VML flaw. Using third party patches is never a good idea for any enterprise - applying them to insecure unsupported operating systems is more likely to lead to self-inflicted wounds than be the best way to prevent attacks. ]
Attackers Exploiting Windows Shell Flaw (30 September 2006)
Investigation Indicates Indian Call Center Data is Being Stolen and Sold (1 October 2006)
According to a program scheduled to air on British television on Sunday, October 1, sensitive personal data belonging to UK citizens are being stolen from call centers in India and sold to the highest bidder. The data include credit card information, passport and driver's license numbers and bank account details. Those selling the data also have access to taped conversations with US consumers in which they divulge sensitive information, such as credit card security numbers. -http://www.hindustantimes.com/news/181_1810545,00050003.htm -http://www.timesonline.co.uk/article/0,,2087-2383227,00.html
U. of Iowa Notifying Study Participants of Possible Data Breach (29 September 2006)
The University of Iowa is in the process of contacting 14,500 individuals whose Social Security numbers (SSNs) were stored in a computer that suffered an intrusion. The affected individuals participated in research studies about maternal and child health from 1995 until the present. Analysis indicates the attacks were automated and designed to find places to store digital video files; there is no evidence the data were accessed. Law enforcement authorities have been notified of the incident. The university has established an FAQ web page to help address questions and concerns.
-http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060929/NEWS01/60929003/1079
-http://www.psychology.uiowa.edu/faq.html
Oracle Security Hardening Checklist Release Announced at NS2006
Security researcher Paul Wright released a draft of the SANS Oracle Security Hardening Checklist, Version 3.1 at his Oracle Security talk at Network Security 2006. This is the most comprehensive document on Oracle Security available on the Internet and is based on the work of Wright, Finnigan, Litchfield, and the SANS SCORE research team. The draft document is released with a 30-day review period; please send comments to email@example.com. -http://www.sans.org/score/oraclechecklist.php
[Editor's Note (Pescatore): There has actually been strong progress in software coming hardened out of the box, other than voting machines, of course. ]
Experts Predict the Future: The Ten Most Important Security Trends of the Coming Year
Mobile Devices

1. Laptop encryption will be made mandatory at many government agencies and other organizations that store customer/patient data and will be preinstalled on new equipment. Senior executives, concerned about potential public ridicule, will demand that sensitive mobile data be protected.

10. Theft of PDA smart phones will grow significantly. Both the value of the devices for resale and their content will draw large numbers of thieves.

Government Action

5. Congress and state governments will pass more legislation governing the protection of customer information. If Congress, as expected, reduces the state-imposed data breach notification requirements significantly, state attorneys general and state legislatures will find ways to enact harsh penalties for organizations that lose sensitive personal information.

Attack Targets

2. Targeted attacks will be more prevalent, in particular on government agencies. Targeted cyber attacks by nation states against US government systems over the past three years have been enormously successful, demonstrating the failure of federal cyber security activities. Other antagonistic nations and terrorist groups, aware of the vulnerabilities, will radically expand the number of attacks. Targeted attacks on commercial organizations will target military contractors and businesses with valuable customer information.

3. Cell phone worms will infect at least 100,000 phones, jumping from phone to phone over wireless data networks. Cell phones are becoming more powerful with full-featured operating systems and readily available software development environments. That makes them fertile territory for attackers fueled by cell-phone adware profitability.

4. Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP technology was deployed hastily without fully understanding security.

Attack Techniques

6. Spyware will continue to be a huge and growing issue. Spyware developers can make money in so many ways that development and distribution centers will be established throughout the developed and developing world.

7. 0-day vulnerabilities will result in major outbreaks that infect many thousands of PCs worldwide. Security vulnerability researchers often exploit the holes they discover before they sell them to vendors or vulnerability buyers like TippingPoint.

8. The majority of bots will be bundled with rootkits. The rootkits will change the operating system to hide the attack's presence and make uninstalling the malware almost impossible without reinstalling a clean operating system.

Defensive Strategies

9. Network Access Control will become common and will grow in sophistication. As defending laptops becomes increasingly difficult, large organizations will try to protect their internal networks and users by testing computers that want to connect to the internal network. Tests will grow from today's simple configuration checks and virus signature validation to deeper analysis searching for traces of malicious code.
How these trends were determined

Twenty of the most respected leaders in cyber security developed this list. First, each proposed the three developments that they felt were most important. Then they compiled the list of more than 40 trends and voted on which were most likely to happen and which would have the greatest impact if they did happen. That resulted in a prioritized list. To validate their prioritization, they asked the 960 delegates at SANSFIRE in Washington to each prioritize the 40 trends. More than 340 did so. The SANSFIRE delegates' input reinforced the experts' prioritization and helped target the Top Ten.
Experts involved with the project
Stephen Northcutt, President of the SANS Technology Institute
Johannes Ullrich, CTO of the Internet Storm Center
Marc Sachs, Director of Internet Storm Center
Ed Skoudis, CEO of Intelguardians and SANS Hacker Exploits course director
Eric Cole, author of Hackers Beware and SANS CISSP Preparation Course Director
Jason Fossen, SANS Course Director for Windows Security
Chris Brenton, SANS Course Director for Firewalls and Perimeter Protection
David Rice, SANS Course Director for Microsoft .Net Security
Fred Kerby, CISO of the Naval Surface Warfare Center, Dahlgren Division
Howard Schmidt, President of ISSA
Rohit Dhamankar, editor of the SANS Top 20 Internet Security Vulnerabilities and @RISK
Marcus Ranum, inventor of the proxy firewall
Mark Weatherford, CISO of Colorado
Clint Kreitner, CEO of the Center for Internet Security
Eugene Schultz, CTO of High Tower Software
Koon Yaw Tan, Security Expert for the Singapore Government
Brian Honan, Irish Security Consultant
Roland Grefer, Security Consultant
Lenny Zeltser, Security Practice Leader at Gemini Systems
Alan Paller, Director of Research at the SANS Institute
Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).
John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.
Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.
Johannes Ullrich is Chief Technology Officer of the Internet Storm Center, to the Editorial Board.
Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.
Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.
Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.
Alan Paller is director of research at the SANS Institute.
Clint Kreitner is the founding President and CEO of The Center for Internet Security.
Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.
Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.
Koon Yaw Tan leads the cyber threat intent team for Infocomm Development Authority (IDA) of the Singapore government.
Chuck Boeckman is a Principal Information Security Engineer at a non-profit federally funded research and development corporation that provides support to the federal government.
Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Roland Grefer is an independent consultant based in Clearwater, Florida.